Tag Archive for: RaaS

ShadowSyndicate suspected of being RaaS affiliate to several ransomware families


A suspected ransomware-as-a-service affiliate dubbed “ShadowSyndicate” has been observed operating with a single Secure Shell (SSH) fingerprint on 85 servers since July 2022 and has used seven different ransomware families to launch attacks during the past year.

In a blog post Sept. 26, Group-IB researchers said it’s very rare for one SSH fingerprint to have such a complex web of connections with a large number of malicious servers.

Group-IB said it was unable to confirm for certain whether ShadowSyndicate operates as a RaaS affiliate or an initial access broker, but based on its research, Group-IB believed that the threat actor was operating as a RaaS affiliate.

Group-IB based its theory on its finding that watermarks from several of the seven ransomware groups identified could be detected on a single server. While this complicates attribution, the researchers said it confirmed their theory that ShadowSyndicate operated as a RaaS affiliate working with various RaaS groups.

The Group-IB researchers said they can attribute ShadowSyndicate with a high degree of confidence to Quantum ransomware activity in September 2022, the Nokoyawa ransomware group in October 2022 and March 2023, and ALPHV (BlackCat) activity in February 2023.

The researchers can attribute the following ransomware groups to ShadowSyndicate with a low degree of confidence: Royal, Cl0p, Cactus, and Play. ShadowSyndicate was also found to use known off-the-shelf toolkits such as Cobalt Strike, IcedID, and Sliver malware. At least 52 of the servers use the Cobalt Strike C2 framework.

Group-IB conducted the research on ShadowSyndicate by forming a Cybercrime Fighters Club with Joshua Penny from Bridewell, Group-IB’s longtime MSSP partner in Europe, and threat researcher Michael Koczwara.

When groups start using technology such as Cobalt Strike, IcedID, and Sliver and SSH servers that are “fingerprintable,” it can go both ways when it comes to attribution, said Mayuresh Dani, manager, threat research at Qualys.

“Unique fingerprints lead to precise attribution and shared fingerprints lead to incorrect attribution,” said Dani. “However, their use of off-the-shelf multiple ransomware families, C2…

Source…

Conti Ransomware: The History Behind One of the World’s Most Aggressive RaaS Groups


The Conti ransomware group has become one of the most notorious cybercrime collectives in the world, known for its aggressive tactics and large-scale attacks against a wide range of public and private organizations. Along with other prominent ransomware groups, Conti has underlined the importance of preparing a strong response plan to mitigate the effects of what could be an incredibly damaging blow to a company’s assets, personnel, and reputation.

But while it maintains its place as one of the most prolific ransomware gangs in the cyber threat landscape, Conti has also gained a significant amount of attention in 2022 for activity related to potential internal divisions. Leaked private chats between Conti members and a fracture within the group have left observers questioning the future of the ransomers, prompting a look back on how it became such a fixture in the ransomware landscape.

Understanding this background is not only critical to your organization’s knowledge of Conti specifically, but also gives important context to ransomware threats as a whole. 


The formation of Conti

Led by Russia-based threat actors, the Conti ransomware variant was first observed in or around February 2020, and the collective quickly became one of the most active groups in the ransomware space. In August 2020, months after its initial debut, the threat actors distributing Conti launched a data leak site to post confidential documents obtained by attackers. By the end of 2020 the site had leaked the data of more than 150 companies, making Conti the third most active ransomware leaker group that year, behind only “Maze” and “Egregor.”

Conti operates using a Ransomware-as-a-Service (RaaS) attack model, paying affiliates for successfully deploying the malware into an organization’s systems and opening the door for the primary threat actors to further exploit and coerce the victim during the second stage of the attack. Its attack model and structure were exposed in August 2021, when a former Conti affiliate leaked Conti training documents. The threat actor claimed that Conti exploits their…

Source…

How to Prevent Ransomware as a Service (RaaS) Attacks


Connections between other ransomware and APT groups have been noted. MalwareHunterTeam tweeted many similarities between Black Basta and Conti, while Trend Micro Research found correlations between Black Basta and QakBot.

SolidBit

Trend Micro Research analyzed a sample of a new SolidBit ransomware variant targeting users of popular video games and social media platforms. It has been disguised as different applications, including a League of Legends account checker tool and an Instagram follower bot, to lure in victims. The malicious actors behind the malware variant also posted a job advertisement on an underground forum in June 2022 to recruit potential affiliates for their ransomware-as-a-service activities. Affiliates stand to gain 80% of the ransom payment as a commission.

How to prevent ransomware attacks

Ransomware remains, and always will be, a threat against businesses of all sizes. Organizations can no longer take a reactive approach to cybersecurity. As ransom demands increase significantly, cyber insurance carriers have mandated strict anti-ransomware security controls for organizations applying for or renewing coverage. Consider these 5 security practices to prevent ransomware attacks:

5 steps to defend against ransomware

1. Leverage cybersecurity frameworks from the Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST) for thorough guidance on prioritization and resource management, as well as on filling any gaps that could be exposed by attackers.

2. Leverage a unified cybersecurity platform to eliminate the lack of visibility and the security gaps caused by disparate point products. Choose a platform that continuously monitors the entire attack surface for early signs of an attack and uses advanced detection techniques such as AI-powered technologies, machine learning, and XDR.

3. Follow a zero trust approach to network security by implementing Zero Trust Network Access (ZTNA) technology. ZTNA protects the network by validating access at a point in time: checking that patches are installed, that the app is domain-connected, and so on, and authenticating the user’s identity via multifactor authentication (MFA). It will also…

Source…

RiskSense Ransomware Spotlight Report Reveals Surge in Weaponized Vulnerabilities, New Targets and RaaS


Source…